A network engineer is configuring AAA on a Cisco ISR router to authenticate administrative users via a RADIUS server. The engineer configures the router with the command 'aaa new-model' and then 'aaa authentication login default group radius local'. When the engineer attempts to SSH to the router using a username that exists only on the RADIUS server, the authentication fails. The RADIUS server is reachable and the shared secret is correct. What is the most likely cause of the failure?
Correct because the 'group radius local' method list tries RADIUS first; if RADIUS responds with a reject (user not found), the router does not fall back to local. The fallback only occurs if the RADIUS server does not respond.
Why this answer
The RADIUS server is not configured to authenticate the user, or the RADIUS server is not responding correctly. The 'local' fallback is only used if the RADIUS server does not respond, not if it rejects the authentication. The issue is that the RADIUS server is rejecting the authentication, possibly because the user is not defined on the server or the server's configuration does not match the router's request.